RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-15 Thread Linc B
On 14 Jul 2003 12:22:52 +0100, Mark Lowes wrote: > > One of the problems is that there are a non-trivial number of these people > aren't capable of properly securing a machine. Anything a vendor does > to try and improve the default baseline the better, as long as they > don't block the option for tho

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-14 Thread Mark Lowes
On Mon, 2003-07-14 at 09:19, Roy S. Rapoport wrote: [...] > It sometimes feels as though this mailing list is populated by > slashdotters, quick to shoot down ideas that are improvements over the > current situation if they're not perfect. > > Is it better to do your own installation? Certainly.

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-14 Thread Roy S. Rapoport
On Sun, Jul 13, 2003 at 10:34:43AM +0100, Scott wrote: > Maybe I am just a bit paranoid, but how many people would trust a > vendor to harden a box prior to shipping? The vast, vast, vast majority of computer users. > I for one always reinstall from > clean/trusted media when a new/used box

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-13 Thread Scott
Good Point, well presented. ;-) Doc -Original Message- From: Ron DuFresne [mailto:[EMAIL PROTECTED] Sent: Sunday, July 13, 2003 4:20 PM To: Scott Cc: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again ) On Sun, 13 Jul 2003, Scott wrote: >

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-13 Thread Ron DuFresne
On Sun, 13 Jul 2003, Scott wrote: > All, > > Maybe I am just a bit paranoid, but how many people would trust a > vendor to harden a box prior to shipping? I for one always reinstall from > clean/trusted media when a new/used box comes through the door. > > If the hardened box from a v

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-13 Thread Scott
ay, July 13, 2003 6:31 AM To: Peter Busser Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) On Fri, 4 Jul 2003, Peter Busser wrote: > Hi! > > > My impression is that until the > > vendors step up to the plate with a better commitment to resp

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-12 Thread Ron DuFresne
On Fri, 4 Jul 2003, Peter Busser wrote: > Hi! > > > My impression is that until the > > vendors step up to the plate with a better commitment to responsible > > release of products, they will find that the research community continues > > to eye them with focused suspicion and outright cynical s

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-06 Thread gandalf94305
Normally, if there is a bug with some commercial software, you report it to the vendor. If there is a bug in some community-supported software, you report it to the appropriate forum or mailing list. Hmm... if you have reason to suspect that the vendor will do nothing about your report and in f

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-06 Thread Kristian Hermansen
g your software??? Kris Hermansen - Original Message - From: "Schmehl, Paul L" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 01, 2003 6:58 PM Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again ) > > -Original Message- > >

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-04 Thread Nick FitzGerald
Peter Busser <[EMAIL PROTECTED]> wrote: > Well, why should vendors do that? In fact, if you look at Microsoft's > profit, I would say it is rewarded for not doing this. ... Indeed. > ... Vendors simply > supply the kind of products people want. Apparently people love insecure > programs. So tha

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-04 Thread morning_wood
> > take the vendor to court and demand compensation for the damages caused by > badly designed or buggy software. > > Groetjes, > Peter Busser better yet, sue the internet, it's insecure and buggy demand compensation I should sue my local radio station, they said it was gunna be sunny, I will dem

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-04 Thread Peter Busser
Hi! > My impression is that until the > vendors step up to the plate with a better commitment to responsible > release of products, they will find that the research community continues > to eye them with focused suspicion and outright cynical spite. Well, why should vendors do that? In fact, if

Re: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-03 Thread Justin Shin
t: Re: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) You said it, dude. It sounds like secresearcher was talking out his ass. If there's a vuln discovered in a piece of software everyone should know straight away. That way the attackers and defenders are on a

Re: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-03 Thread Gordon McKillop
ame: > > [full-disclosure] > > -- Justin Shin > - Original Message - > From: <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> > Sent: Thursday, July 03, 2003 6:41 PM > Subject: RE: A Few Realities About Security Re: [Full-Disclos

Re: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-03 Thread Justin Shin
Note the name: [full-disclosure] -- Justin Shin - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, July 03, 2003 6:41 PM Subject: RE: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( aga

RE: A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-03 Thread infosysec
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OK secresearcher, I call you on this one. If you're not completely full of crap, release the vuln the day before M$ does. If you do, I will personally bow to you and publically eat crow. If you don't, please go away. Curt - -Original Message-

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-03 Thread Ron DuFresne
I owe you an apology in making my last posting on this topic and in response to your posting here, seem to be a point of taking potshots at you, and that was really not my intent. For your narrow focus upon this issue is no more tunneled and short of sight, or myopic than those that merely deca

Vote with your dollars (Was: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ))

2003-07-02 Thread Peter Busser
Hi! > MS needs to get a grip on the security situation, because there are more and > more people that are able to obtain vuln information, through lists such as > this one and web sites and newsgroups ... the list goes on. Simply ignoring > problems will not fix anything. What will it take for MS

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread Brett Hutley
> > Along these lines, if the C programming language had a proper > > string data type from day one, buffer overflows would be much > > less common today. Ha! Yeah right - and how would your operating system perform doing boundary checks on every string operation??? Thus trumpeted Mike Fratto

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread andrewg
>> About a year ago, I tripped over this issue. (I have since found out >> it is a known bug - see http://www.sitepoint.com/print/1029). In an >> effort to help MS, I spent hours of company time registering to >> various bug reporting services on MS sites - and never found one that >> would accept

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread Justin Shin
for MS to get the picture? My two cents -- Justin - Original Message - From: "Geoincidents" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 02, 2003 7:23 PM Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) > About a year ago, I tr

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread Geoincidents
> About a year ago, I tripped over this issue. (I have since found out it > is a known bug - see http://www.sitepoint.com/print/1029). In an effort > to help MS, I spent hours of company time registering to various bug > reporting services on MS sites - and never found one that would accept > my bu

A Few Realities About Security Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread secresearcher
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Reality. I have a critical vulnerability with Microsoft right now. Only their people and myself - and a few other researchers at my company - know about it. This affects every Windows OS across the board. You can be with the US government... or with

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread [EMAIL PROTECTED]
Karl DeBisschop ([EMAIL PROTECTED]) writes: >> As for the criticism on Microsoft's blasting researchers who poorly >>handle security vulnerabilities, most of it is not valid. >If MS had a better means of reporting the problem, or handling bug >reports, I'd be more sympathetic. > >My only experien

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-02 Thread Shawn McMahon
On Tue, Jul 01, 2003 at 05:58:10PM -0500, Schmehl, Paul L said: > > before code is released. (OpenBSD has been doing this for years, and > look at the results.) Trojaned release of OpenSSH because the project leader ran a horribly-coded IRC client on the CVS server? A string of exploits in Open

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Karl DeBisschop
On Tue, 2003-07-01 at 20:18, [EMAIL PROTECTED] wrote: > As for the criticism on Microsoft's blasting researchers who poorly handle > security vulnerabilities, most of it is not valid. If MS had a better means of reporting the problem, or handling bug reports, I'd be more sympathetic. My only ex

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Karl DeBisschop
On Tue, 2003-07-01 at 20:18, [EMAIL PROTECTED] wrote: > As for the criticism on Microsoft's blasting researchers who poorly handle > security vulnerabilities, most of it is not valid. If MS had a better means of reporting the problem, or handling bug reports, I'd be more sympathetic. My only exp

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread [EMAIL PROTECTED]
Ron Dufresne writes: >> However, a security vulnerability is not, in itself, harmful. What *is* >> harmful about a security vulnerability are individuals who wish to >>exploit the flaw. Therefore, the harm from a vulnerability increases >>dramatically if more people with the ability to exploit t

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Schmehl, Paul L
> -Original Message- > From: Kristian Hermansen [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 01, 2003 3:09 PM > To: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) > > > I agree. It is not our problem. The reason is this.

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread KF
They tend to cry "foul" a lot, and then often tend to follow through not with work to fix their products, but with threats and lawsuits, right snosoft? Folks forget too quickly the minor fallout they had with HP... it is often so much easier for the vendor's PR staff to say "hey shut up or we wil

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Kristian Hermansen
le to millions of customers. I thought .NET was supposed to fix all this ;-P Kris Hermansen - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 01, 2003 4:01 PM Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) > >

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Ron DuFresne
[SNIP] > > However, a security vulnerability is not, in itself, harmful. What *is* > harmful about a security vulnerability are individuals who wish to exploit > the flaw. Therefore, the harm from a vulnerability increases dramatically > if more people with the ability to exploit the vu

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread KF
It only takes 30 seconds to type an email saying hey thanks for taking the time to let us know... we will get back to you. The no-call-no-shows (not replying to security related emails) are BS for lack of a better word. Not even acknowledging an issue is a far cry from trying to work out a f

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread dhtml
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 While there is some argument about what makes a vendor un-responsive, patch times in this case are, likely and understandably, quite lengthy. These fixes are not trivial to begin with, thanks in no small part to the incredible number of customers Mi

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread [EMAIL PROTECTED]
>It is quite legal and responsible disclosing bugs. >Just look into real world - when you buy fucked up beer, do you notify the >vendor and wait to fix it or act in some other way? Let's set one thing straight -- I never challenged the legality of it, so I have no clue where that is coming from.

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Cesar
Code will always have bugs, humans are not perfect, but risks can be reduced if companies would be more "responsible" and if they would spend more time, resources, money in testing their software before releasing it. Cesar. --- Mike Fratto <[EMAIL PROTECTED]> wrote: > Not to get into a religious

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Peter van den Heuvel
It would make more sense to research a bit more into why people do this, how they could be convinced to be more social, and most particularly, how the process of "decent" disclosure could be facilitated. Research? Please!?!?!?! Subjects like this have been researched to death. It doesn't ma

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Mike Fratto
> Along these lines, if the C programming language had a proper > string data type from day one, buffer overflows would be much > less common today. Not to get into a religious argument over this, but if programmers did proper data scrubbing and bounds checking regardless of the language, th

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread ATD
Amen On Tue, 2003-07-01 at 07:37, KF wrote: > > > > > >The solution to this problem lies in the hands of the vendors, *not* in the hands > >of the researchers. > > > *This is no lie... after a while one (researchers) simply gets tired of > bending over backwards > to get the vendor to listen. Yo

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread madsaxon
At 11:37 AM 7/1/03 +, KF wrote: Someone in the .gov get us a vendor responsibility bill or something... Sure thing. All you need to do is pay your lobbyists more than the big software vendors pay theirs... m5x ___ Full-Disclosure - We believe in it

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Richard M. Smith
lf Of Schmehl, Paul L Sent: Tuesday, July 01, 2003 10:44 AM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Microsoft Cries Wolf ( again ) > -Original Message- > From: Peter van den Heuvel [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 01, 2003 4:04 AM > To: [EMAIL PROTECT

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread KF
The solution to this problem lies in the hands of the vendors, *not* in the hands of the researchers. *This is no lie... after a while one (researchers) simply gets tired of bending over backwards to get the vendor to listen. You get to a point where you simply don't care sometimes...* vendors

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Schmehl, Paul L
> -Original Message- > From: Peter van den Heuvel [mailto:[EMAIL PROTECTED] > Sent: Tuesday, July 01, 2003 4:04 AM > To: [EMAIL PROTECTED] > Subject: Re: [Full-Disclosure] Microsoft Cries Wolf ( again ) > > I find all these posts on irresponsible behaviour a bit s

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Georgi Guninski
[EMAIL PROTECTED] wrote: poor billy, we do not care anymore http://zdnet.com.com/2100-1105_2-1020919.html [...] The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. Doing that helps It is quite legal and responsible disclosin

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Andrew Griffiths
Thilo Schulz wrote: On Tuesday 01 July 2003 00:58, [EMAIL PROTECTED] wrote: The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. Doing that helps absolutely nobody. If you're going to take the interpretation of full disclosur

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Thilo Schulz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Tuesday 01 July 2003 00:58, [EMAIL PROTECTED] wrote: > The ZDNet article hit the point right on the head. It is irresponsible to > leave the vendor uninformed before going public. Doing that helps > absolutely nobody. If you're going to take the

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-07-01 Thread Peter van den Heuvel
The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. I find all these posts on irresponsible behaviour a bit surprising. Driving through a red light is irresponsible, blowing one another's heads off with firearms is irresponsibl

RE: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-06-30 Thread [EMAIL PROTECTED]
> poor billy, we do not care anymore > > http://zdnet.com.com/2100-1105_2-1020919.html [...] The ZDNet article hit the point right on the head. It is irresponsible to leave the vendor uninformed before going public. Doing that helps absolutely nobody. If you're going to take the interpretation

Re: [Full-Disclosure] Microsoft Cries Wolf ( again )

2003-06-30 Thread morning_wood
> If you're going to take the interpretation of full >disclosure literally, notification of the vendor and the public is >simultaneous. this was my point, they are complaining about simultaneous disclosure. regardless of whether the exploit is feasible was not my concern, but the reaction to "Full Disclo